D-Link DFL-1660 User Manual page 244

4.7.1. Overview
To better explain this, let us consider a VLAN vlan5 which is defined on two physical interfaces
called if1 and if2. Both physical interfaces have switch routes defined so they operate in transparent
mode. Two VLAN interfaces with the same VLAN ID are defined on the two physical interfaces
and they are called vlan5_if1 and vlan5_if2.
For the VLAN to operate in transparent mode we create a routing table with the ordering set to only
and which contains the following 2 switch routes:
Instead of creating individual entries, an interface group could be used in the above routing table.
No other non-switched routes should be in this routing table because traffic that follows such routes
will be tagged incorrectly with the VLAN ID.
Finally, we must associate this routing table with its VLAN interface by defining a Policy Based
Routing Rule.
Enabling Transparent Mode Directly on Interfaces
The recommended way to enable Transparent Mode is to add switch routes, as described above. An
alternative method is to enable transparent mode directly on an interface (a check box for this is
provided in the graphical user interfaces). When enabled in this way, default switch routes are
automatically added to the routing table for the interface and any corresponding non-switch routes
are automatically removed. This method is used in the detailed examples given later.
High Availability and Transparent Mode
Switch Routes cannot be used with High Availability and therefore true transparent mode cannot be
implemented with a NetDefendOS High Availability Cluster.
Instead of Switch Routes the solution in a High Availability setup is to use Proxy ARP to separate
two networks. This is described further in Section 4.2.6, "Proxy ARP". The key disadvantage with
this approach is that firstly, clients will not be able to roam between NetDefendOS interfaces,
retaining the same IP address. Secondly, and more importantly, their network routes will need to be
manually configured for proxy ARP.
Transparent Mode with DHCP
In most Transparent Mode scenarios, the IP address of users is predefined and fixed and is not
dynamically fetched using DHCP. Indeed, the key advantage of Transparent Mode is that these
users can plug in anywhere and NetDefendOS can route their traffic correctly after determining their
whereabouts and IP address through ARP exchanges.
However, a DHCP server could be used to allocate user IP addresses in a Transparent Mode setup if
desired. With Internet connections, it may be the ISP's own DHCP server which will hand out public
IPv4 addresses to users. In this case, NetDefendOS MUST be correctly configured as a DHCP
Relayer to forward DHCP traffic between users and the DHCP server.
It may be the case that the exact IP address of the DHCP server is unknown but what is known is the
Ethernet interface to which the DHCP server is connected. To enable DHCP requests to be relayed
through the firewall, the following steps are needed:
• Define a static route which routes the IPv4 address 255.255.255.255 to the interface on which
the DHCP server is found.
Network
all-nets
all-nets
244
Chapter 4. Routing
Interface
vlan5_if1
vlan5_if2